Heiner, it's a legal KeyInfo if both the issuer serial and the SKI point to the _same_ certificate. Thus an implementation can use either of the two (or both) to get/identify a certificate.
Regards, Werner

> -----Original Message-----
> From: Heiner Westphal [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 25 June 2004 14:44
> To: [EMAIL PROTECTED]
> Subject: Re: sun.security.util.DerValue not available on IBM SDKs
>
>
> I dug some more...
>
> It seems Sun's DerValue class is only used if
> the XML signature KeyInfo contains an <X509SKI> element
> (signatures without it work).
>
> This is what I get. I'm not sure if this is a legal KeyInfo.
> If the combination of issuer/serial and SKI is not ok, I can
> move the problem ownership to the sender :)
>
> <KeyInfo>
>   <X509Data>
>     <X509IssuerSerial>
>       <X509IssuerName>
>         C=DE,O=Secret GmbH, OU=development,CN=TestSecret
>       </X509IssuerName>
>       <X509SerialNumber>7711026923132787338</X509SerialNumber>
>     </X509IssuerSerial>
>     <X509SKI>aTTp+EejjS30eFH+UObfuscaTeME=</X509SKI>
>   </X509Data>
> </KeyInfo>
>
> Regards,
>
> Heiner
>
> Heiner Westphal wrote:
>
> > Hello!
> >
> > I'm using xml-security java 1.1.0 on an AIX with
> > IBM SDK 1.4.1.
> >
> > In org.apache.xml.security.keys.content.x509.XMLX509SKI
> > an object of class sun.security.util.DerValue is used, which
> > should not be according to
> > http://java.sun.com/products/jdk/faq/faq-sun-packages.html
> >
> > When I'm trying to read a specific certificate I get:
> > Exception in thread "main" java.lang.NoClassDefFoundError:
> > sun/security/util/DerValue.
> > This does not happen if I use a self-signed cert created with
> > keytool and keyalg=DSA.
> >
> > If anyone knows a quick workaround, please tell me.
> >
> > P.S.: The calling code is attached, trace below.
> > trace is (sorry, no line numbers,
> > ... means org.apache.xml.security.):
> >
> > Exception in thread "main" java.lang.NoClassDefFoundError:
> > sun/security/util/DerValue
> >         at ...keys.content.x509.XMLX509SKI.getSKIBytesFromCert(Unknown Source)
> >         at ...keys.content.x509.XMLX509SKI.<init>(Unknown Source)
> >         at ...keys.keyresolver.implementations.X509SKIResolver.engineResolveX509Certificate(Unknown Source)
> >         at ...keys.keyresolver.KeyResolver.resolveX509Certificate(Unknown Source)
> >         at ...keys.KeyInfo.getX509CertificateFromStaticResolvers(Unknown Source)
> >         at ...keys.KeyInfo.getX509Certificate(Unknown Source)
> > - HERE starts my custom code, see attachment -
> >
> >
> > ------------------------------------------------------------------------
> >
> >     /**
> >      * Get a certificate that matches the given keyinfo.
> >      * @param keyInfo Keyinfo to check against.
> >      * @return certificate that matches the keyinfo.
> >      * @throws MyErrorException If no certificate was found, either
> >      *                          because none matched or because
> >      *                          the keystore was broken.
> >      */
> >     private X509Certificate getCertificate(final KeyInfo keyInfo)
> >             throws MyErrorException {
> >         if (keyInfo != null) {
> >             if (keyInfo.containsX509Data()) {
> >                 X509Certificate cert;
> >                 try {
> >                     // Let the KeyInfo resolve its X509Data against our keystore.
> >                     StorageResolver storageResolver =
> >                         new StorageResolver(new KeyStoreResolver(keyStore));
> >                     keyInfo.addStorageResolver(storageResolver);
> >                     cert = keyInfo.getX509Certificate(); // HERE!
> >                 } catch (StorageResolverException e) {
> >                     throw new MyErrorException(e);
> >                 } catch (KeyResolverException e) {
> >                     throw new MyErrorException(e);
> >                 }
> >                 return cert;
> >             } else {
> >                 // keyInfo is present but carries no X509Data element.
> >                 throw new MyErrorException(
> >                     "Message contains no X509Data. " + "Cannot check dsig.");
> >             }
> >         } else {
> >             // No KeyInfo at all.
> >             throw new MyErrorException(
> >                 "Message contains no KeyInfo. " + "Cannot check dsig.");
> >         }
> >     }
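A workaround for the DerValue dependency Heiner asks about, added here as an example; it is not code from this thread or from xml-security. X509Certificate.getExtensionValue("2.5.29.14") returns the extension's DER OCTET STRING, whose content is the SubjectKeyIdentifier OCTET STRING, so two small DER unwraps yield the SKI bytes using only public JDK 1.4 APIs; matchesKeyInfo then checks Werner's condition that the IssuerSerial and the SKI name the same certificate. The class name SkiUtil and the caller-supplied issuerName/serial/ski values are assumptions.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

/** Added example: SKI handling without sun.security.util.DerValue (JDK 1.4 API only). */
public final class SkiUtil {
    private static final String SKI_OID = "2.5.29.14"; // id-ce-subjectKeyIdentifier
    /** Returns the raw SubjectKeyIdentifier bytes, or null if the cert has no SKI extension. */
    public static byte[] getSkiBytes(X509Certificate cert) {
        // getExtensionValue() hands back the extension's DER OCTET STRING; its content is
        // the DER encoding of SubjectKeyIdentifier, which is itself an OCTET STRING.
        byte[] outer = cert.getExtensionValue(SKI_OID);
        return outer == null ? null : unwrapOctetString(unwrapOctetString(outer));
    }
    /** Strips one DER OCTET STRING (tag 0x04) header and returns its content bytes. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if ((len & 0x80) != 0) {            // long form: low 7 bits count the length bytes
            int numBytes = len & 0x7F;
            if (numBytes == 0 || numBytes > 4 || der.length < 2 + numBytes) {
                throw new IllegalArgumentException("bad DER length");
            }
            len = 0;
            for (int i = 0; i < numBytes; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + numBytes;
        }
        if (len < 0 || offset + len != der.length) {
            throw new IllegalArgumentException("DER length does not match buffer");
        }
        byte[] content = new byte[len];
        System.arraycopy(der, offset, content, 0, len);
        return content;
    }
    /** Werner's condition: the KeyInfo's IssuerSerial and SKI must identify this same cert. */
    public static boolean matchesKeyInfo(X509Certificate cert, String issuerName,
                                         BigInteger serial, byte[] ski) {
        boolean issuerSerialOk = cert.getSerialNumber().equals(serial)
                && cert.getIssuerX500Principal().equals(new X500Principal(issuerName));
        byte[] certSki = getSkiBytes(cert);
        return issuerSerialOk && certSki != null && Arrays.equals(certSki, ski);
    }
}
```

Compare the Base64-decoded <X509SKI> value against getSkiBytes(cert), not against the raw getExtensionValue() result, since the outer OCTET STRING wrapper would otherwise never match.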
